| SubscriptionId | ResourceGroup | ResourceType | ResourceTags | ResourceLocation | IsCompliant | ComplianceState | EffectiveParameters | ResourceId | Resource | PolicySetDefinitionVersion | PolicySetDefinitionParameters | PolicySetDefinitionOwner | PolicySetDefinitionName | PolicySetDefinitionId | PolicySetDefinitionCategory | PolicyEvaluationDetails | PolicyDefinitionVersion | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionId | PolicyDefinitionGroupNames | PolicyDefinitionCategory | PolicyDefinitionAction | PolicyAssignmentVersion | PolicyAssignmentScope | PolicyAssignmentParameters | PolicyAssignmentOwner | PolicyAssignmentName | PolicyAssignmentId | PolicyDescription | PolicyCategory | PolicyDisplayName |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect | 0b15565f-aa9e-48ba-8619-45960f2c314d | /providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Security Center | Email notification to subscription owner for high severity alerts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderfordnsshouldbeenabledmonitoringeffect | bdc59948-5574-49b3-bb91-76b7c986428d | /providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for DNS should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | virtualmachinesadvancedthreatprotectionmonitoringeffect | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | /providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Security Center | Azure Defender for servers should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforreadpermissionsmonitoringnew | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | /providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | Accounts with read permissions on Azure resources should be MFA enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforwritepermissionsmonitoringeffect | 931e118d-50a1-4457-a5e4-78550e086c52 | /providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | Accounts with write permissions on Azure resources should be MFA enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | identityenablemfaforwritepermissionsmonitoring | 9297c21d-2ed6-4474-b48f-163f75654ce3 | /providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled for accounts with write permissions on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforownerpermissionsmonitoringnew | e3e008c3-56b9-4133-8fd7-d3347377402a | /providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | Accounts with owner permissions on Azure resources should be MFA enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforownerpermissionsmonitoring | aa633080-8b72-40c4-a2d7-d00c03e80bed | /providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with owner permissions on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatemorethanoneownermonitoring | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | /providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Security Center | There should be more than one owner assigned to your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatelessthanownersmonitoring | 4f11b553-d42e-4e3a-89be-32ca364cad4c | /providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Security Center | A maximum of 3 owners should be designated for your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforresourcemanagershouldbeenabledmonitoringeffect | c3d20c29-b36d-48fe-808b-99a87530ad99 | /providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for Resource Manager should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect | 475aae12-b88a-4572-8b36-9b712b2b3a17 | /providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Security Center | Auto provisioning of the Log Analytics agent should be enabled on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | containersadvancedthreatprotectionmonitoringeffect | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | /providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Security Center | Microsoft Defender for Containers should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | appservicesadvancedthreatprotectionmonitoringeffect | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | /providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Security Center | Azure Defender for App Service should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | storageaccountsadvanceddatasecuritymonitoringeffect | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | /providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Security Center | Azure Defender for Storage should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect | 6581d072-105e-4418-827f-bd446d56421b | /providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for SQL servers on machines should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversadvanceddatasecuritymonitoringeffect | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | /providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for Azure SQL Database servers should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | keyvaultsadvanceddatasecuritymonitoringeffect | 0e6763cc-5078-4e64-889d-ff4d9a839047 | /providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Security Center | Azure Defender for Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoringnew | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | /providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with read permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoring | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | /providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with read permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoringnew | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | /providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with write permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoring | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | /providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with write permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoringnew | 339353f6-2387-4a45-abe4-7f529d121046 | /providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with owner permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountmonitoringnew | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | /providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with read and write permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoring | f8456c1c-aa66-4dfb-861a-25d127b775c9 | /providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with owner permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoringnew | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | /providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with owner permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoring | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | /providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts with owner permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountmonitoring | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | /providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoringnew | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | /providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with owner permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountmonitoringnew | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | /providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with read and write permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | /providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Security Center | Azure Defender for open-source relational databases should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | /providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Security Center | Email notification for high severity alerts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | /providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Security Center | Subscriptions should have a contact email address for security issues |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | containersadvancedthreatprotectionmonitoringeffect | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | /providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Security Center | Microsoft Defender for Containers should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect | 475aae12-b88a-4572-8b36-9b712b2b3a17 | /providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Security Center | Auto provisioning of the Log Analytics agent should be enabled on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | microsoftdefendercspmshouldbeenabledmonitoringeffect | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | /providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Security Center | Microsoft Defender CSPM should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderfordnsshouldbeenabledmonitoringeffect | bdc59948-5574-49b3-bb91-76b7c986428d | /providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for DNS should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforresourcemanagershouldbeenabledmonitoringeffect | c3d20c29-b36d-48fe-808b-99a87530ad99 | /providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for Resource Manager should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | storageaccountsadvanceddatasecuritymonitoringeffect | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | /providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Security Center | Azure Defender for Storage should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect | 6581d072-105e-4418-827f-bd446d56421b | /providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for SQL servers on machines should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | keyvaultsadvanceddatasecuritymonitoringeffect | 0e6763cc-5078-4e64-889d-ff4d9a839047 | /providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Security Center | Azure Defender for Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | virtualmachinesadvancedthreatprotectionmonitoringeffect | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | /providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Security Center | Azure Defender for servers should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | appservicesadvancedthreatprotectionmonitoringeffect | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | /providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Security Center | Azure Defender for App Service should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversadvanceddatasecuritymonitoringeffect | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | /providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for Azure SQL Database servers should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect | 0b15565f-aa9e-48ba-8619-45960f2c314d | /providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Security Center | Email notification to subscription owner for high severity alerts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | microsoftdefendercspmshouldbeenabledmonitoringeffect | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | /providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Security Center | Microsoft Defender CSPM should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | /providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Security Center | Email notification for high severity alerts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | /providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Security Center | Subscriptions should have a contact email address for security issues |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | /providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Security Center | Azure Defender for open-source relational databases should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoringnew | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | /providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with read permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoring | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | /providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with read permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoring | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | /providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with write permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoringnew | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | /providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with write permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoringnew | 339353f6-2387-4a45-abe4-7f529d121046 | /providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with owner permissions on Azure resources should be removed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoring | f8456c1c-aa66-4dfb-861a-25d127b775c9 | /providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with owner permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountmonitoring | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | /providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoring | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | /providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts with owner permissions should be removed from your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforreadpermissionsmonitoring | e3576e28-8b17-4677-84c3-db2990658d64 | /providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with read permissions on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforreadpermissionsmonitoring | e3576e28-8b17-4677-84c3-db2990658d64 | /providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with read permissions on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612 | 87d31636-ad85-4caa-802d-1535972b5612 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b | 7fd64851-3279-459b-b614-e2b2ba760f5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b | 7fd64851-3279-459b-b614-e2b2ba760f5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a | a16c43ca-2d67-4dcd-9ded-6412f5edc51a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a | a16c43ca-2d67-4dcd-9ded-6412f5edc51a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2 | a48d7796-14b4-4889-afef-fbb65a93e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2 | a48d7796-14b4-4889-afef-fbb65a93e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2 | a48d7896-14b4-4889-afef-fbb65a96e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2 | a48d7896-14b4-4889-afef-fbb65a96e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/c4a381a4-0c4b-4e5c-9c4e-a373db9a2d89 | c4a381a4-0c4b-4e5c-9c4e-a373db9a2d89 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786 | fd1bb084-1503-4bd2-99c0-630220046786 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/c4a381a4-0c4b-4e5c-9c4e-a373db9a2d89 | c4a381a4-0c4b-4e5c-9c4e-a373db9a2d89 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforreadpermissionsmonitoringnew | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | /providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | Accounts with read permissions on Azure resources should be MFA enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786 | fd1bb084-1503-4bd2-99c0-630220046786 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/ec8ea81d-6c21-48a8-8a22-0087a85c4fc5 | ec8ea81d-6c21-48a8-8a22-0087a85c4fc5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612 | 87d31636-ad85-4caa-802d-1535972b5612 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/ec8ea81d-6c21-48a8-8a22-0087a85c4fc5 | ec8ea81d-6c21-48a8-8a22-0087a85c4fc5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2ad74d88-8c31-42a1-97fc-0c70e81932bf | 2ad74d88-8c31-42a1-97fc-0c70e81932bf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforwritepermissionsmonitoringeffect | 931e118d-50a1-4457-a5e4-78550e086c52 | /providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | Accounts with write permissions on Azure resources should be MFA enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | identityenablemfaforwritepermissionsmonitoring | 9297c21d-2ed6-4474-b48f-163f75654ce3 | /providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled for accounts with write permissions on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforownerpermissionsmonitoringnew | e3e008c3-56b9-4133-8fd7-d3347377402a | /providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | Accounts with owner permissions on Azure resources should be MFA enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforownerpermissionsmonitoring | aa633080-8b72-40c4-a2d7-d00c03e80bed | /providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with owner permissions on your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatelessthanownersmonitoring | 4f11b553-d42e-4e3a-89be-32ca364cad4c | /providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Security Center | A maximum of 3 owners should be designated for your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2 | 21d96096-b162-414a-8302-d8354f9d91b2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | 01e7c251-3bed-4242-9d93-a5851b2e6671 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatemorethanoneownermonitoring | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | /providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Security Center | There should be more than one owner assigned to your subscription |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2 | 21d96096-b162-414a-8302-d8354f9d91b2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2ad74d88-8c31-42a1-97fc-0c70e81932bf | 2ad74d88-8c31-42a1-97fc-0c70e81932bf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f | 7aff565e-6c55-448d-83db-ccf482c6da2f | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2f296bf1-1015-4c42-84b4-530f3d48ba9e | 2f296bf1-1015-4c42-84b4-530f3d48ba9e | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f | 7aff565e-6c55-448d-83db-ccf482c6da2f | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2f296bf1-1015-4c42-84b4-530f3d48ba9e | 2f296bf1-1015-4c42-84b4-530f3d48ba9e | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa | wolffsynapseadlsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct | wolffsynadlsacct | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2 | wolffsynapsesa2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg | covidmsreportingrg | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Synapse/workspaces | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.synapse/workspaces/wolffsynapseworkspace | wolffsynapseworkspace | 3.0.0 | | | 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | security center | | 1.0.0 | deploythreatdetectiononsynapseworkspaces | 951c1558-50a5-4ca3-abb6-a93e3e2367a6 | /providers/microsoft.authorization/policydefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6 | | tbd | deployifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | DataProtectionSecurityCenter | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter | Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. | Security Center | Configure Microsoft Defender for SQL to be enabled on Synapse workspaces |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Synapse/workspaces | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.synapse/workspaces/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 3.0.0 | | | 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | security center | | 1.0.0 | deploythreatdetectiononsynapseworkspaces | 951c1558-50a5-4ca3-abb6-a93e3e2367a6 | /providers/microsoft.authorization/policydefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6 | | tbd | deployifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | DataProtectionSecurityCenter | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter | Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. | Security Center | Configure Microsoft Defender for SQL to be enabled on Synapse workspaces |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault | wolffkeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | adfrg | Microsoft.Synapse/workspaces | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.synapse/workspaces/wolffsynapsewp3 | wolffsynapsewp3 | 3.0.0 | | | 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | security center | | 1.0.0 | deploythreatdetectiononsynapseworkspaces | 951c1558-50a5-4ca3-abb6-a93e3e2367a6 | /providers/microsoft.authorization/policydefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6 | | tbd | deployifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | DataProtectionSecurityCenter | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter | Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. | Security Center | Configure Microsoft Defender for SQL to be enabled on Synapse workspaces |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector | wolffanomalydector | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | /providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Cognitive Services | Cognitive Services accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector | wolffanomalydector | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | /providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Cognitive Services | Cognitive Services accounts should disable public network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly | wolffanomaly | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | /providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Cognitive Services | Cognitive Services accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly | wolffanomaly | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | /providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Cognitive Services | Cognitive Services accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly | wolffanomaly | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | /providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Cognitive Services | Cognitive Services accounts should disable public network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly | wolffanomaly | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | /providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Cognitive Services | Cognitive Services accounts should disable public network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector | wolffanomalydector | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | /providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Cognitive Services | Cognitive Services accounts should disable public network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | anomalydectrg | Microsoft.CognitiveServices/accounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector | wolffanomalydector | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | /providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Cognitive Services | Cognitive Services accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet/subnets/private-subnet | private-subnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet/subnets/public-subnet | public-subnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet | workers-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet | workers-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet | workers-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | databricks-rg-wolffdatabricks-fwcg6zc572rwo | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua | dbstorageup2c3j2q6udua | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486 | wolffdevtestlab3486 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | IOTRG | Microsoft.Devices/IotHubs | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/iotrg/providers/microsoft.devices/iothubs/wolffiothub | wolffiothub | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | IOTRG | Microsoft.Devices/IotHubs | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/iotrg/providers/microsoft.devices/iothubs/wolffiothub | wolffiothub | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwacrrg | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr | jwolfftestacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwacrrg | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr | jwolfftestacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwacrrg | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr | jwolfftestacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwacrrg | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr | jwolfftestacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwacrrg | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr | jwolfftestacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwacrrg | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr | jwolfftestacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwRedisrg | Microsoft.Cache/Redis | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis | jwredis | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | diagnosticslogsinrediscachemonitoring | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | /providers/microsoft.authorization/policydefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Cache | Only secure connections to your Azure Cache for Redis should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwRedisrg | Microsoft.Cache/Redis | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis | jwredis | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azurecacheforredisshoulduseprivateendpointmonitoringeffect | 7803067c-7d34-46e3-8c79-0ca68fc4036d | /providers/microsoft.authorization/policydefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Cache | Azure Cache for Redis should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwRedisrg | Microsoft.Cache/Redis | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis | jwredis | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azurecacheforredisshoulduseprivateendpointmonitoringeffect | 7803067c-7d34-46e3-8c79-0ca68fc4036d | /providers/microsoft.authorization/policydefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Cache | Azure Cache for Redis should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | jwRedisrg | Microsoft.Cache/Redis | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis | jwredis | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | diagnosticslogsinrediscachemonitoring | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | /providers/microsoft.authorization/policydefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Cache | Only secure connections to your Azure Cache for Redis should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/databrickssn | databrickssn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/azurefirewallmanagementsubnet | azurefirewallmanagementsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet | msuscsavnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/azurefirewallsubnet | azurefirewallsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet | msuscsavnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet | msuscsavnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/devtestlabsn | devtestlabsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus | msusvnetwestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/batchsn | batchsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/avdsn | avdsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus | msusvnetwestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/cyclecoudsn | cyclecoudsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/cyclecloudsnslurmlabclustersn | cyclecloudsnslurmlabclustersn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus | msusvnetwestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | MSUSCSAVNETRG | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa | batchshellsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg-asr | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg-asr | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr/subnets/cyclecloudsnslurmlabclustersn | cyclecloudsnslurmlabclustersn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg-asr | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr/subnets/batchsn | batchsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg-asr | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr | msuscsavnet-asr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg-asr | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr | msuscsavnet-asr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msuscsavnetrg-asr | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr | msuscsavnet-asr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest | msusvnetwest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest | msusvnetwest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest | msusvnetwest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest | msusvnetwest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest/subnets/synapsedatabrickssn | synapsedatabrickssn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | msusvnetwestrg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest | msusvnetwest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolff | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace | wolffsynapseworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestop | sequencestop | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestop | sequencestop | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestart | sequencestart | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestart | sequencestart | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/action | action | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/action | action | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/subscription | subscription | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | functionapprestrictcorsaccessmonitoring | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | /providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5 | azure_security_benchmark_v3.0_pv-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | App Service | Function apps should not have CORS configured to allow every resource to access your apps |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Automation/automationAccounts/variables | tbd | | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/subscription | subscription | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | encryptionofautomationaccountmonitoring | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | /providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 | azure_security_benchmark_v3.0_dp-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is important to enable encryption of Automation account variable assets when storing sensitive data | Automation | Automation account variables should be encrypted |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | functionappsshouldhaveclientcertificatesenabledmonitoringeffect | eaebaea7-8013-4ceb-9d14-7eb32271373c | /providers/microsoft.authorization/policydefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c | azure_security_benchmark_v3.0_pv-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | App Service | Function apps should have 'Client Certificates (Incoming client certificates)' enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | functionappenforcehttpsmonitoring | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | /providers/microsoft.authorization/policydefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | App Service | Function apps should only be accessible over HTTPS |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | functionappsshouldhaveclientcertificatesenabledmonitoringeffect | eaebaea7-8013-4ceb-9d14-7eb32271373c | /providers/microsoft.authorization/policydefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c | azure_security_benchmark_v3.0_pv-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | App Service | Function apps should have 'Client Certificates (Incoming client certificates)' enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | functionappenforcehttpsmonitoring | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | /providers/microsoft.authorization/policydefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | App Service | Function apps should only be accessible over HTTPS |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa | wolffautomationsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | functionappdisableremotedebuggingmonitoring | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | /providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9 | azure_security_benchmark_v3.0_pv-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | App Service | Function apps should have remote debugging turned off |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | ftpsonlyshouldberequiredinyourfunctionappmonitoringeffect | 399b2637-a50f-4f95-96f8-3a145476eb15 | /providers/microsoft.authorization/policydefinitions/399b2637-a50f-4f95-96f8-3a145476eb15 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable FTPS enforcement for enhanced security. | App Service | Function apps should require FTPS only |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | functionappdisableremotedebuggingmonitoring | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | /providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9 | azure_security_benchmark_v3.0_pv-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | App Service | Function apps should have remote debugging turned off |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | managedidentityshouldbeusedinyourfunctionappmonitoringeffect | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | /providers/microsoft.authorization/policydefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f | azure_security_benchmark_v3.0_im-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use a managed identity for enhanced authentication security | App Service | Function apps should use managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | latesttlsversionshouldbeusedinyourfunctionappmonitoringeffect | f9d614c5-c173-4d56-95a7-b4437057d193 | /providers/microsoft.authorization/policydefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | App Service | Function apps should use the latest TLS version |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | functionapprestrictcorsaccessmonitoring | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | /providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5 | azure_security_benchmark_v3.0_pv-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | App Service | Function apps should not have CORS configured to allow every resource to access your apps |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | managedidentityshouldbeusedinyourfunctionappmonitoringeffect | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | /providers/microsoft.authorization/policydefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f | azure_security_benchmark_v3.0_im-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use a managed identity for enhanced authentication security | App Service | Function apps should use managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd | wolffautosaa32nsd | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffautorg | Microsoft.Web/sites | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y | wolffautofuncappa32nsdegjr53y | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | latesttlsversionshouldbeusedinyourfunctionappmonitoringeffect | f9d614c5-c173-4d56-95a7-b4437057d193 | /providers/microsoft.authorization/policydefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | App Service | Function apps should use the latest TLS version |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffbillingrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa | wolffbillingsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffhpcperfrg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsa | gbbnfstestsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmg | Microsoft.Sql/servers | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3 | wolffsynapsewp3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmgmtwest3rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet/subnets/sqlsn | sqlsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmgmtwest3rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmgmtwest3rg | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet | wolffwest3vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmgmtwest3rg | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet | wolffwest3vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffmgmtwest3rg | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet | wolffwest3vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.ServiceBus/namespaces | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.servicebus/namespaces/wolffsbnamespace140373 | wolffsbnamespace140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinservicebusmonitoring | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | /providers/microsoft.authorization/policydefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | Service Bus | Resource logs in Service Bus should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | | | | | | | | | | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.ServiceBus/namespaces | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.servicebus/namespaces/wolffsbnamespace140373 | wolffsbnamespace140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinservicebusmonitoring | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | /providers/microsoft.authorization/policydefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Service Bus | Resource logs in Service Bus should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Devices/IotHubs | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.devices/iothubs/wolfftesthub140373 | wolfftesthub140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Devices/IotHubs | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.devices/iothubs/wolfftesthub140373 | wolfftesthub140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffresources | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffresources | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffresources | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffresources | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | sqlserverauditingmonitoring | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | SQL | Auditing on SQL server should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers/databases | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr/databases/wolffwest3db | wolffwest3db | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | sqldbencryptionmonitoring | 17k78e20-9358-41c9-923c-fb736d382a12 | /providers/microsoft.authorization/policydefinitions/17k78e20-9358-41c9-923c-fb736d382a12 | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | SQL | Transparent Data Encryption on SQL databases should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers/databases | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr/databases/wolffwest3db | wolffwest3db | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | sqldbencryptionmonitoring | 17k78e20-9358-41c9-923c-fb736d382a12 | /providers/microsoft.authorization/policydefinitions/17k78e20-9358-41c9-923c-fb736d382a12 | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | SQL | Transparent Data Encryption on SQL databases should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect | 89099bee-89e0-4b26-a5f4-165451757743 | /providers/microsoft.authorization/policydefinitions/89099bee-89e0-4b26-a5f4-165451757743 | azure_security_benchmark_v3.0_lt-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | SQL | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect | 89099bee-89e0-4b26-a5f4-165451757743 | /providers/microsoft.authorization/policydefinitions/89099bee-89e0-4b26-a5f4-165451757743 | azure_security_benchmark_v3.0_lt-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | SQL | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 3.0.0 | | | 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | security center | | 2.1.0 | deploythreatdetectiononsqlservers | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | /providers/microsoft.authorization/policydefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | | tbd | deployifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | DataProtectionSecurityCenter | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Azure Defender to be enabled on SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vulnerabilityassessmentonservermonitoring | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | /providers/microsoft.authorization/policydefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | SQL | Vulnerability assessment should be enabled on your SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | sqlserverauditingmonitoring | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | SQL | Auditing on SQL server should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | sqlserveradvanceddatasecuritymonitoring | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | /providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit SQL servers without Advanced Data Security | SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | sqlserveradvanceddatasecuritymonitoring | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | /providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit SQL servers without Advanced Data Security | SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vulnerabilityassessmentonservermonitoring | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | /providers/microsoft.authorization/policydefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | SQL | Vulnerability assessment should be enabled on your SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsqlwest3rg | Microsoft.Sql/servers | tbd | westus3 | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr | wolffwest3sqlsvr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | False | NonCompliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSRegion | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffsynapseMG | Microsoft.Sql/servers | tbd | eastus | True | Compliant | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspace | wolffsynapsenewworkspace | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforresourcemanagershouldbeenabledmonitoringeffect | c3d20c29-b36d-48fe-808b-99a87530ad99 | /providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for Resource Manager should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | /providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Security Center | Email notification for high severity alerts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | storageaccountsadvanceddatasecuritymonitoringeffect | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | /providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Security Center | Azure Defender for Storage should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect | 475aae12-b88a-4572-8b36-9b712b2b3a17 | /providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Security Center | Auto provisioning of the Log Analytics agent should be enabled on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | virtualmachinesadvancedthreatprotectionmonitoringeffect | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | /providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Security Center | Azure Defender for servers should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect | 0b15565f-aa9e-48ba-8619-45960f2c314d | /providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Security Center | Email notification to subscription owner for high severity alerts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | appservicesadvancedthreatprotectionmonitoringeffect | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | /providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Security Center | Azure Defender for App Service should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect | 6581d072-105e-4418-827f-bd446d56421b | /providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for SQL servers on machines should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | containersadvancedthreatprotectionmonitoringeffect | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | /providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Security Center | Microsoft Defender for Containers should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | keyvaultsadvanceddatasecuritymonitoringeffect | 0e6763cc-5078-4e64-889d-ff4d9a839047 | /providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Security Center | Azure Defender for Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoring | f8456c1c-aa66-4dfb-861a-25d127b775c9 | /providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with owner permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | microsoftdefendercspmshouldbeenabledmonitoringeffect | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | /providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Security Center | Microsoft Defender CSPM should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoring | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | /providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with read permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoringnew | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | /providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with read permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoringnew | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | /providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with write permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoring | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | /providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with write permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoringnew | 339353f6-2387-4a45-abe4-7f529d121046 | /providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with owner permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountmonitoringnew | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | /providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with read and write permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | microsoftdefendercspmshouldbeenabledmonitoringeffect | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | /providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Security Center | Microsoft Defender CSPM should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoringnew | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | /providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with owner permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountmonitoring | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | /providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderfordnsshouldbeenabledmonitoringeffect | bdc59948-5574-49b3-bb91-76b7c986428d | /providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for DNS should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderfordnsshouldbeenabledmonitoringeffect | bdc59948-5574-49b3-bb91-76b7c986428d | /providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for DNS should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af | 8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect | 0b15565f-aa9e-48ba-8619-45960f2c314d | /providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Security Center | Email notification to subscription owner for high severity alerts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/3aec7956-05e7-4818-bcd4-7e8496af8255 | 3aec7956-05e7-4818-bcd4-7e8496af8255 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/3aec7956-05e7-4818-bcd4-7e8496af8255 | 3aec7956-05e7-4818-bcd4-7e8496af8255 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f | 7aff565e-6c55-448d-83db-ccf482c6da2f | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f | 7aff565e-6c55-448d-83db-ccf482c6da2f | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/69724c51-5cfa-40c8-a937-6ffe37c7d6b9 | 69724c51-5cfa-40c8-a937-6ffe37c7d6b9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/69724c51-5cfa-40c8-a937-6ffe37c7d6b9 | 69724c51-5cfa-40c8-a937-6ffe37c7d6b9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b | 7fd64851-3279-459b-b614-e2b2ba760f5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b | 7fd64851-3279-459b-b614-e2b2ba760f5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | /providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Security Center | Azure Defender for open-source relational databases should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612 | 87d31636-ad85-4caa-802d-1535972b5612 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612 | 87d31636-ad85-4caa-802d-1535972b5612 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforreadpermissionsmonitoringnew | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | /providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | Accounts with read permissions on Azure resources should be MFA enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af | 8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversadvanceddatasecuritymonitoringeffect | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | /providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for Azure SQL Database servers should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | /providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Security Center | Email notification for high severity alerts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | /providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Security Center | Subscriptions should have a contact email address for security issues |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoring | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | /providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts with owner permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatelessthanownersmonitoring | 4f11b553-d42e-4e3a-89be-32ca364cad4c | /providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Security Center | A maximum of 3 owners should be designated for your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforwritepermissionsmonitoringeffect | 931e118d-50a1-4457-a5e4-78550e086c52 | /providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | Accounts with write permissions on Azure resources should be MFA enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforwritepermissionsmonitoringeffect | 931e118d-50a1-4457-a5e4-78550e086c52 | /providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | Accounts with write permissions on Azure resources should be MFA enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforreadpermissionsmonitoring | e3576e28-8b17-4677-84c3-db2990658d64 | /providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with read permissions on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | identityenablemfaforwritepermissionsmonitoring | 9297c21d-2ed6-4474-b48f-163f75654ce3 | /providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled for accounts with write permissions on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforownerpermissionsmonitoringnew | e3e008c3-56b9-4133-8fd7-d3347377402a | /providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | Accounts with owner permissions on Azure resources should be MFA enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforownerpermissionsmonitoring | aa633080-8b72-40c4-a2d7-d00c03e80bed | /providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with owner permissions on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatemorethanoneownermonitoring | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | /providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Security Center | There should be more than one owner assigned to your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatelessthanownersmonitoring | 4f11b553-d42e-4e3a-89be-32ca364cad4c | /providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Security Center | A maximum of 3 owners should be designated for your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a | a16c43ca-2d67-4dcd-9ded-6412f5edc51a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a | a16c43ca-2d67-4dcd-9ded-6412f5edc51a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2 | a48d7796-14b4-4889-afef-fbb65a93e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2 | a48d7796-14b4-4889-afef-fbb65a93e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2 | a48d7896-14b4-4889-afef-fbb65a96e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2 | a48d7896-14b4-4889-afef-fbb65a96e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2 | 21d96096-b162-414a-8302-d8354f9d91b2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoring | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | /providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts with owner permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforreadpermissionsmonitoringnew | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | /providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | Accounts with read permissions on Azure resources should be MFA enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountmonitoring | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | /providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoringnew | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | /providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with owner permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | /providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Security Center | Subscriptions should have a contact email address for security issues |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | identityenablemfaforwritepermissionsmonitoring | 9297c21d-2ed6-4474-b48f-163f75654ce3 | /providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled for accounts with write permissions on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforresourcemanagershouldbeenabledmonitoringeffect | c3d20c29-b36d-48fe-808b-99a87530ad99 | /providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for Resource Manager should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforownerpermissionsmonitoringnew | e3e008c3-56b9-4133-8fd7-d3347377402a | /providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | Accounts with owner permissions on Azure resources should be MFA enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforownerpermissionsmonitoring | aa633080-8b72-40c4-a2d7-d00c03e80bed | /providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with owner permissions on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatemorethanoneownermonitoring | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | /providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Security Center | There should be more than one owner assigned to your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | /providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Security Center | Azure Defender for open-source relational databases should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect | 475aae12-b88a-4572-8b36-9b712b2b3a17 | /providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Security Center | Auto provisioning of the Log Analytics agent should be enabled on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | virtualmachinesadvancedthreatprotectionmonitoringeffect | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | /providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Security Center | Azure Defender for servers should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | containersadvancedthreatprotectionmonitoringeffect | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | /providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Security Center | Microsoft Defender for Containers should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforreadpermissionsmonitoring | e3576e28-8b17-4677-84c3-db2990658d64 | /providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with read permissions on your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | appservicesadvancedthreatprotectionmonitoringeffect | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | /providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Security Center | Azure Defender for App Service should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | storageaccountsadvanceddatasecuritymonitoringeffect | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | /providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Security Center | Azure Defender for Storage should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | keyvaultsadvanceddatasecuritymonitoringeffect | 0e6763cc-5078-4e64-889d-ff4d9a839047 | /providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Security Center | Azure Defender for Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversadvanceddatasecuritymonitoringeffect | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | /providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for Azure SQL Database servers should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoringnew | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | /providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with read permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoring | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | /providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with read permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoringnew | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | /providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with write permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoring | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | /providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with write permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoringnew | 339353f6-2387-4a45-abe4-7f529d121046 | /providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with owner permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoring | f8456c1c-aa66-4dfb-861a-25d127b775c9 | /providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with owner permissions should be removed from your subscription |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountmonitoringnew | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | /providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with read and write permissions on Azure resources should be removed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | 1d81cec7-7ded-4731-884e-90c5aa59c622 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect | 6581d072-105e-4418-827f-bd446d56421b | /providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for SQL servers on machines should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2 | 21d96096-b162-414a-8302-d8354f9d91b2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786 | fd1bb084-1503-4bd2-99c0-630220046786 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786 | fd1bb084-1503-4bd2-99c0-630220046786 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | General | Audit usage of custom RBAC rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet | amatvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet | amatvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet | amatvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet | amatvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet | amatvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump | amatcc-jump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | amatcc | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1 | amatcc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5 | armtestvm5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/viz | viz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/lustre-mgt | lustre-mgt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/gatewaysubnet | gatewaysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/login | login | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/hpcpack | hpcpack | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/infra | infra | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/anf | anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet | armtestvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 1.0.1 | | | e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | security center | | 1.0.1 | deployadvancedthreatprotectiononazuredatabaseformariadbserver | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | /providers/microsoft.authorization/policydefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c | | tbd | deployifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | OpenSourceRelationalDatabasesProtectionSecurityCenter | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1 | armtest-mdb1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet | armtestvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnet | armtest-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmove | armtestmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1 | arm-cc-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj | oss-4cdsx3j5brhdj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm | armtest-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm | armtest-jump-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1 | armccstorage1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2 | armtestvnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnet | armtest-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2 | armtestvnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2 | armtestvnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2 | armtestvnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv | mds-mmztemzug5rtgljxgfswkljugv | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2 | armtestvnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet | armtestvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet | armtestvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnet | armtest-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet | armtestvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.machinelearningservices/workspaces/aw-aml-wk2 | aw-aml-wk2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.machinelearningservices/workspaces/aw-aml-wk2 | aw-aml-wk2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2 | awamlacr2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2 | awamlacr2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2 | awamlacr2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2 | awamlacr2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2 | awamlacr2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2 | awamlacr2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799 | awamlwk29359386799 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-aml-rg2 | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602 | awamlwk26303667602 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1 | aw-hpcpk-kv1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2 | hpck3veskbap4wn2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2 | azlcliofilestorepremium2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet | clio-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet | clio-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet | clio-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet/subnets/sn-anf | sn-anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor | azclcliobenchstor | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet/subnets/sn-compute | sn-compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azcl-cliobench | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate | azcl-imagecreate | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spill | vnet-spill | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spill | vnet-spill | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spill/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spill | vnet-spill | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azhpc-spillbox | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump | azhpc-spillboxjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview/subnets/sn-compute | sn-compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview | vnet-mcpreview | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview | vnet-mcpreview | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview/subnets/sn-anf | sn-anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview | vnet-mcpreview | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-MC-preview-rg | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag | azmcpreviewrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | az-mc-preview-rg | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01 | az-mc-previewvm01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01 | azpr-sixnines-pure-vnet01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01 | azpr-sixnines-pure-vnet01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01/subnets/storage | storage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01/subnets/cycle | cycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01 | azpr-sixnines-pure-vnet01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AZPR-SIXNINES-PURE | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver | cyclecloudserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01 | ck-linux-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | azpr-sixnines-pure | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01 | ck-win-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet | azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet/subnets/subnet-1 | subnet-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet | azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet | azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-southcentralus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86 | cs710030000a84d7f86 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | cloud-shell-storage-westus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56 | cs410030000a84e3c56 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | defaultresourcegroup-scus | microsoft.operationalinsights/workspaces/linkedServices | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/linkedservices/security | security | | | | | | | | | | Automanage workspace policy | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage workspace policy | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS | | tbd | Automanage workspace assignment | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage workspace assignment | Monitors workspace and ensures the automation account is linked | General | Automanage workspace policy |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | DefaultResourceGroup-SCUS | Microsoft.OperationsManagement/solutions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/changetracking(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus) | changetracking(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus) | | | | | | | | | | Automanage solutions policy | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage solutions policy | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationsManagement/solutions/ChangeTracking(DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS) | | tbd | Automanage ChangeTracking solution assignment | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/changetracking(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus)/providers/microsoft.authorization/policyassignments/automanage changetracking solution assignment | Monitors the Solution and ensures the workspace is linked | General | Automanage solutions policy |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | DefaultResourceGroup-SCUS | Microsoft.OperationsManagement/solutions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/vminsights(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus) | vminsights(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus) | | | | | | | | | | Automanage solutions policy | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage solutions policy | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationsManagement/solutions/VMInsights(DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS) | | tbd | Automanage VMInsights solution assignment | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/vminsights(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus)/providers/microsoft.authorization/policyassignments/automanage vminsights solution assignment | Monitors the Solution and ensures the workspace is linked | General | Automanage solutions policy |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | DefaultResourceGroup-SCUS | Microsoft.Automation/automationAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.automation/automationaccounts/automate-1d81cec7-7ded-4731-884e-90c5aa59c622-scus | automate-1d81cec7-7ded-4731-884e-90c5aa59c622-scus | | | | | | | | | | Automanage automation account policy | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage automation account policy | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.Automation/automationAccounts/Automate-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS | | tbd | Automanage automation account assignment | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.automation/automationaccounts/automate-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage automation account assignment | Monitors the Automation Account and ensures the location and name don't change | General | Automanage automation account policy |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | defaultresourcegroup-scus | Microsoft.OperationalInsights/workspaces/linkedservices | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/linkedservices/automation | automation | | | | | | | | | | Automanage workspace policy | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage workspace policy | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS | | tbd | Automanage workspace assignment | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage workspace assignment | Monitors workspace and ensures the automation account is linked | General | Automanage workspace policy |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | defaultresourcegroup-scus | Microsoft.OperationalInsights/workspaces/linkedservices | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/linkedservices/security | security | | | | | | | | | | Automanage workspace policy | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage workspace policy | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS | | tbd | Automanage workspace assignment | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage workspace assignment | Monitors workspace and ensures the automation account is linked | General | Automanage workspace policy |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | EDA-HFSS-Opt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup | edahfssoptbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | gmdata | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup | gmstoragbackup | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytesting | singularitytesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublic | singularitytestingpublic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytesting | singularitytesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet | intel_eda-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet | intel_eda-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet | intel_eda-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet | intel_eda-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytesting | singularitytesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublic | singularitytestingpublic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublic | singularitytestingpublic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublic | singularitytestingpublic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublic | singularitytestingpublic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytesting | singularitytesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet | intel_eda-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytesting | singularitytesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytesting | singularitytesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublic | singularitytestingpublic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet/subnets/sn-hpccache | sn-hpccache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2 | gbbedawestus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet/subnets/sn-anf | sn-anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2 | pocintelkvv2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA_West3 | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA_West3 | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnet | intel_eda_west3-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnet | intel_eda_west3-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnet | intel_eda_west3-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet | ja-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet | ja-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet | ja-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet | ja-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet | ja-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-caehpc | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild | imagebuild | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JA-CAEHPC | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag | jacaehpcbootdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet/subnets/hpccachesn | hpccachesn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet | jacsanet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet | jacsanet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet | jacsanet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ja-csatraining | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsa | csatrainsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet | ja-itt-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet | ja-itt-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtest | ittcyclecloudtest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet | ja-itt-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet | ja-itt-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet | ja-itt-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump | winjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaitt | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump | winjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet | regentvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet | regentvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet | regentvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet | regentvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet | regentvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet/subnets/anfsubnet | anfsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023 | cc8233023 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle | regentcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud | regentcyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jaregent | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag | jaregentdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jdtest-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jdtest-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jdtest-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnet | jdtest-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jdtest-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnet | jdtest-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jdtest-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jdtest-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnet | jdtest-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting | jdtesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JDTest-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstorage | jdtestingstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vulnerabilityassessmentonservermonitoring | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | /providers/microsoft.authorization/policydefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | SQL | Vulnerability assessment should be enabled on your SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect | 89099bee-89e0-4b26-a5f4-165451757743 | /providers/microsoft.authorization/policydefinitions/89099bee-89e0-4b26-a5f4-165451757743 | azure_security_benchmark_v3.0_lt-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | SQL | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vulnerabilityassessmentonservermonitoring | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | /providers/microsoft.authorization/policydefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | SQL | Vulnerability assessment should be enabled on your SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | /providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Security Center | SQL databases should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | sqlserverauditingmonitoring | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | SQL | Auditing on SQL server should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet | jemorey-scus-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet | jemorey-scus-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet | jemorey-scus-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | sqlserveradvanceddatasecuritymonitoring | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | /providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit SQL servers without Advanced Data Security | SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet | jemorey-scus-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 1.0.1 | | | e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | security center | | 1.0.1 | deployadvancedthreatprotectiononazuredatabaseformariadbserver | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | /providers/microsoft.authorization/policydefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c | | tbd | deployifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | OpenSourceRelationalDatabasesProtectionSecurityCenter | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect | 89099bee-89e0-4b26-a5f4-165451757743 | /providers/microsoft.authorization/policydefinitions/89099bee-89e0-4b26-a5f4-165451757743 | azure_security_benchmark_v3.0_lt-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | SQL | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.DBforMariaDB/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb | uclaslurmacctgdb | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | /providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | SQL | Public network access on Azure SQL Database should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | /providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | SQL | An Azure Active Directory administrator should be provisioned for SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | sqlserveradvanceddatasecuritymonitoring | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | /providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit SQL servers without Advanced Data Security | SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet | jemorey-scus-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | /providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | SQL | Private endpoint connections on Azure SQL Database should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet | jemorey-scus-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 3.0.0 | | | 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | security center | | 2.1.0 | deploythreatdetectiononsqlservers | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | /providers/microsoft.authorization/policydefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | | tbd | deployifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | DataProtectionSecurityCenter | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Azure Defender to be enabled on SQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet/subnets/jmgbb-hpcc-scus-sn | jmgbb-hpcc-scus-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet/subnets/jm-gbb-anf-scus-sn | jm-gbb-anf-scus-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet/subnets/jemorey-compute-sn | jemorey-compute-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Sql/servers | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct | jmorey-sacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | sqlserverauditingmonitoring | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | /providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | SQL | Auditing on SQL server should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jemorey-scus-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-acr-eus-rg | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus | jmacreus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-acr-eus-rg | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus | jmacreus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-acr-eus-rg | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus | jmacreus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-acr-eus-rg | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus | jmacreus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-acr-eus-rg | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus | jmacreus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-acr-eus-rg | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus | jmacreus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | azurekubernetesserviceclustersshouldhavesecurityprofileenabled | a1840de2-8088-4ea8-b153-b4c723e9cb01 | /providers/microsoft.authorization/policydefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Kubernetes | Azure Kubernetes Service clusters should have Defender profile enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | diagnosticslogsinkubernetesmonitoring | 245fc9df-fa96-4414-9a0b-3738c2f7341c | /providers/microsoft.authorization/policydefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | Kubernetes | Resource logs in Azure Kubernetes Service should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | diagnosticslogsinkubernetesmonitoring | 245fc9df-fa96-4414-9a0b-3738c2f7341c | /providers/microsoft.authorization/policydefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c | | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | Kubernetes | Resource logs in Azure Kubernetes Service should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | azurepolicyaddonstatus | 0a15ec92-a229-4763-bb14-0ea34a568f8d | /providers/microsoft.authorization/policydefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d | azure_security_benchmark_v3.0_pv-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Kubernetes | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | kubernetesrunningimagesvulnerabilityassessment | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | /providers/microsoft.authorization/policydefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Running container images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | azurekubernetesserviceclustersshouldhavesecurityprofileenabled | a1840de2-8088-4ea8-b153-b4c723e9cb01 | /providers/microsoft.authorization/policydefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Kubernetes | Azure Kubernetes Service clusters should have Defender profile enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | kubernetesservicerbacenabledmonitoring | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | /providers/microsoft.authorization/policydefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Security Center | Role-Based Access Control (RBAC) should be used on Kubernetes Services |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | kubernetesserviceauthorizediprangesenabledmonitoring | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | /providers/microsoft.authorization/policydefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Security Center | Authorized IP ranges should be defined on Kubernetes Services |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | kubernetesserviceauthorizediprangesenabledmonitoring | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | /providers/microsoft.authorization/policydefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Security Center | Authorized IP ranges should be defined on Kubernetes Services |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | kubernetesservicerbacenabledmonitoring | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | /providers/microsoft.authorization/policydefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Security Center | Role-Based Access Control (RBAC) should be used on Kubernetes Services |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | kubernetesrunningimagesvulnerabilityassessment | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | /providers/microsoft.authorization/policydefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Running container images should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-aks-rg | Microsoft.ContainerService/managedClusters | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster | jmakscluster | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | azurepolicyaddonstatus | 0a15ec92-a229-4763-bb14-0ea34a568f8d | /providers/microsoft.authorization/policydefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d | azure_security_benchmark_v3.0_pv-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Kubernetes | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1 | lustre-oss-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet | jm-azhop-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | /providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | SQL | Enforce SSL connection should be enabled for MySQL database servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet | jm-azhop-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 1.0.1 | | | e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | security center | | 1.0.1 | deployatponazuredatabaseformysqlserver | 80ed5239-4122-41ed-b54a-6f1fa7552816 | /providers/microsoft.authorization/policydefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816 | | tbd | deployifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | OpenSourceRelationalDatabasesProtectionSecurityCenter | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformysqlserversmonitoringeffect | 7595c971-233d-4bcf-bd18-596129188c49 | /providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet | jm-azhop-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/netapp | netapp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/frontend | frontend | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet | jm-azhop-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet | jm-azhop-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffect | d9844e8a-1437-4aeb-a32c-0c992f056095 | /providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | /providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | SQL | Enforce SSL connection should be enabled for MySQL database servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect | 82339799-d096-41ae-8538-b108becf0970 | /providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MySQL |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffect | d9844e8a-1437-4aeb-a32c-0c992f056095 | /providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformysqlserversmonitoringeffect | 7595c971-233d-4bcf-bd18-596129188c49 | /providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08 | azhop-2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect | 82339799-d096-41ae-8538-b108becf0970 | /providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MySQL |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08 | azhop2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 | kv2m19zo08 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet | jm-azhop-existing-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet | jm-azhop-existing-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/frontend | frontend | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/netapp | netapp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet | jm-azhop-existing-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet | jm-azhop-existing-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet | jm-azhop-existing-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus | jmazhopnfseus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa | azhopsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa | kvsryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffect | d9844e8a-1437-4aeb-a32c-0c992f056095 | /providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect | 82339799-d096-41ae-8538-b108becf0970 | /providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MySQL |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | /providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | SQL | Enforce SSL connection should be enabled for MySQL database servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal | ccportal | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffect | d9844e8a-1437-4aeb-a32c-0c992f056095 | /providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 1.0.1 | | | e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | security center | | 1.0.1 | deployatponazuredatabaseformysqlserver | 80ed5239-4122-41ed-b54a-6f1fa7552816 | /providers/microsoft.authorization/policydefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816 | | tbd | deployifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | OpenSourceRelationalDatabasesProtectionSecurityCenter | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformysqlserversmonitoringeffect | 7595c971-233d-4bcf-bd18-596129188c49 | /providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformysqlserversmonitoringeffect | 7595c971-233d-4bcf-bd18-596129188c49 | /providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MySQL servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | /providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | SQL | Enforce SSL connection should be enabled for MySQL database servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.DBforMySQL/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa | azhop-sryejifa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect | 82339799-d096-41ae-8538-b108becf0970 | /providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MySQL |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet | hpcvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/ad | ad | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/admin | admin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/frontend | frontend | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/gatewaysubnet | gatewaysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/netapp | netapp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet | hpcvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet | hpcvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.VirtualMachineImages/imageTemplates | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig02 | relionimagetemplateforsig02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect | 2154edb9-244f-4741-9970-660785bccdaa | /providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | VM Image Builder | VM Image Builder templates should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.VirtualMachineImages/imageTemplates | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig03 | relionimagetemplateforsig03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect | 2154edb9-244f-4741-9970-660785bccdaa | /providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | VM Image Builder | VM Image Builder templates should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.VirtualMachineImages/imageTemplates | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/helloimagetemplateforsig01 | helloimagetemplateforsig01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect | 2154edb9-244f-4741-9970-660785bccdaa | /providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | VM Image Builder | VM Image Builder templates should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.VirtualMachineImages/imageTemplates | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/helloimagetemplateforsig01 | helloimagetemplateforsig01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect | 2154edb9-244f-4741-9970-660785bccdaa | /providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | VM Image Builder | VM Image Builder templates should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.VirtualMachineImages/imageTemplates | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig02 | relionimagetemplateforsig02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect | 2154edb9-244f-4741-9970-660785bccdaa | /providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | VM Image Builder | VM Image Builder templates should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Batch/batchAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.batch/batchaccounts/jmgbbbatch2eus | jmgbbbatch2eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Batch/batchAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.batch/batchaccounts/jmgbbbatch2eus | jmgbbbatch2eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet | jm-batch-eus-gbb-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet | jm-batch-eus-gbb-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet | jm-batch-eus-gbb-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.VirtualMachineImages/imageTemplates | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig03 | relionimagetemplateforsig03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect | 2154edb9-244f-4741-9970-660785bccdaa | /providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | VM Image Builder | VM Image Builder templates should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa | jmgbbbootdiagssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-eus-gbb-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa | jmgbbbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-batch-rg-scus | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv | dragenkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Batch/batchAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.batch/batchaccounts/batchaceastus | batchaceastus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Batch/batchAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.batch/batchaccounts/batchaceastus | batchaceastus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnet | batchaceastus-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnet | batchaceastus-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnet | batchaceastus-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-eventbatch-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsa | eventhpcsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet | vm-for-imagevnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet | vm-for-imagevnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet/subnets/jmcmkadeanfsn | jmcmkadeanfsn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet/subnets/vm-for-imagesubnet | vm-for-imagesubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet | vm-for-imagevnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | | | | | | | | 3.0.0 | | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | /providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0 | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus | | tbd | 18c883224132411a8a33bf42 | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42 | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Compute | OS and data disks should be encrypted with a customer-managed key |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa | jmcmkadesa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/disks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/disks/jm-cmkade-cc-vm_osdisk_1_9e89b45cf2d0455abcc2f0a4a27a5d41 | jm-cmkade-cc-vm_osdisk_1_9e89b45cf2d0455abcc2f0a4a27a5d41 | | | | | | | | 3.0.0 | | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | /providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0 | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus | | tbd | 18c883224132411a8a33bf42 | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42 | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Compute | OS and data disks should be encrypted with a customer-managed key |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/disks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/disks/jm-cmkade-cc-vm_lun_0_2_97d5ad262d9c44c1a3c3a2f44b16ee0b | jm-cmkade-cc-vm_lun_0_2_97d5ad262d9c44c1a3c3a2f44b16ee0b | | | | | | | | 3.0.0 | | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | /providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0 | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus | | tbd | 18c883224132411a8a33bf42 | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42 | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Compute | OS and data disks should be encrypted with a customer-managed key |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/galleries/images/versions | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/galleries/jmcmeadeacgeus/images/testcmkadeimage/versions/1.0.0 | 1.0.0 | | | | | | | | 3.0.0 | | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | /providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0 | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus | | tbd | 18c883224132411a8a33bf42 | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42 | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Compute | OS and data disks should be encrypted with a customer-managed key |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/galleries/images/versions | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/galleries/jmcmeadeacgeus/images/testcmkadeimage/versions/1.0.1 | 1.0.1 | | | | | | | | 3.0.0 | | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | /providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0 | | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus | | tbd | 18c883224132411a8a33bf42 | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42 | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Compute | OS and data disks should be encrypted with a customer-managed key |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-ade-cmk-eus | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv | jmcmeadeeuskv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | keysexpirationset | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | /providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Key Vault | Key Vault keys should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JMGBB-CC-ADE-CMK-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm | jm-cmkade-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus | jm-cc-multiregion-vnet-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scus/subnets/cc-compute-scus-sn | cc-compute-scus-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scus | jm-cc-multiregion-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus | jm-cc-multiregion-vnet-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus | jm-cc-multiregion-vnet-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus | jm-cc-multiregion-vnet-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus | jm-cc-multiregion-vnet-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scus | jm-cc-multiregion-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scus | jm-cc-multiregion-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-cc-multiregion-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus/subnets/cc-compute-eus-sn | cc-compute-eus-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-CycleSvr-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiag | jmgbbcyclesvrrgdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet | eplusvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet | eplusvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet | eplusvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Batch/batchAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.batch/batchaccounts/jmgbbenergyplusbatch | jmgbbenergyplusbatch | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Batch/batchAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.batch/batchaccounts/jmgbbenergyplusbatch | jmgbbenergyplusbatch | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-eus-kv | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv | jm-gbb-eus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-eventgrid-topic | Microsoft.EventHub/namespaces | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventhub/namespaces/jmgbb-eventhub | jmgbb-eventhub | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsineventhubmonitoring | 83a214f7-d01a-484b-91a9-ed54470c9a6a | /providers/microsoft.authorization/policydefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Event Hub | Resource logs in Event Hub should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-eventgrid-topic | Microsoft.EventHub/namespaces | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventhub/namespaces/jmgbb-eventhub | jmgbb-eventhub | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsineventhubmonitoring | 83a214f7-d01a-484b-91a9-ed54470c9a6a | /providers/microsoft.authorization/policydefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Event Hub | Resource logs in Event Hub should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-eventgrid-topic | Microsoft.EventGrid/topics | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventgrid/topics/jm-cycle-eventgridtopic | jm-cycle-eventgridtopic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | azureeventgridtopicsshoulduseprivatelinkmonitoringeffect | 4b90e17e-8448-49db-875e-bd83fb6f804f | /providers/microsoft.authorization/policydefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Event Grid | Azure Event Grid topics should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-eventgrid-topic | Microsoft.EventGrid/topics | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventgrid/topics/jm-cycle-eventgridtopic | jm-cycle-eventgridtopic | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | azureeventgridtopicsshoulduseprivatelinkmonitoringeffect | 4b90e17e-8448-49db-875e-bd83fb6f804f | /providers/microsoft.authorization/policydefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Event Grid | Azure Event Grid topics should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.machinelearningservices/workspaces/jmgbb-mlworkspace-eus-ml | jmgbb-mlworkspace-eus-ml | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.machinelearningservices/workspaces/jmgbb-mlworkspace-eus-ml | jmgbb-mlworkspace-eus-ml | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-mlworkspace-eus-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504 | jmgbbmlworkspa0740614504 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.EventHub/namespaces | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.eventhub/namespaces/atlas-a6bcfe6a-1425-4cb8-86d7-304512290217 | atlas-a6bcfe6a-1425-4cb8-86d7-304512290217 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsineventhubmonitoring | 83a214f7-d01a-484b-91a9-ed54470c9a6a | /providers/microsoft.authorization/policydefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Event Hub | Resource logs in Event Hub should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.EventHub/namespaces | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.eventhub/namespaces/atlas-a6bcfe6a-1425-4cb8-86d7-304512290217 | atlas-a6bcfe6a-1425-4cb8-86d7-304512290217 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsineventhubmonitoring | 83a214f7-d01a-484b-91a9-ed54470c9a6a | /providers/microsoft.authorization/policydefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Event Hub | Resource logs in Event Hub should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-purview-eus-managed-rg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubs | scaneastuslsucubs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnet | jm-gbb-services-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnet | jm-gbb-services-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnet | jm-gbb-services-rg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet | jmgbb-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet | jmgbb-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet/subnets/jmgbb-anf-sn | jmgbb-anf-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet | jmgbb-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet | jmgbb-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet | jmgbb-wus2-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-EUS-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-eus-rg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-LUSTREFS-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet | jmnfsvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet | jmnfsrg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 1.0.1 | | | e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | security center | | 1.0.1 | deployadvancedthreatprotectiononazuredatabaseformariadbserver | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | /providers/microsoft.authorization/policydefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c | | tbd | deployifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | OpenSourceRelationalDatabasesProtectionSecurityCenter | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | SQL | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeus | jmgbbmariadbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus | jmslurmacctdbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeus | jmgbbmariadbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | privateendpointshouldbeenabledformariadbserversmonitoringeffect | 0a1302fb-a631-4106-9753-f3d494733990 | /providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | SQL | Private endpoint should be enabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeus | jmgbbmariadbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeus | jmgbbmariadbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeus | jmgbbmariadbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | /providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | SQL | Public network access should be disabled for MariaDB servers |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.DBforMariaDB/servers | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeus | jmgbbmariadbeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | /providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jm-gbb-anf-eus-sn | jm-gbb-anf-eus-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jmnfssn | jmnfssn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa | jmnfsblobsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage | jmgpstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa | jmnfsfilessa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet | jmnfsrg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet | jmnfsvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet | jmnfsvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet | jmnfsrg-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet | jmnfsvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet | jmnfsvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jm-vfxt-sn | jm-vfxt-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jm-gbb-batch-eus-sn | jm-gbb-batch-eus-sn | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmNfsRg | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus | jmgbbxnfsblobeus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm | slurm-image-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jmnfsrg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm | jm-centos79-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Batch/batchAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.batch/batchaccounts/jmnftowermh | jmnftowermh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Batch/batchAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.batch/batchaccounts/jmnftowermh | jmnftowermh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-nftower-microhack-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa | jmnftowermhsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus | jm-pure-dragen-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus | jm-pure-dragen-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus | jm-pure-dragen-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus | jm-pure-dragen-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus/subnets/gatewaysubnet | gatewaysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus/subnets/jm-dragen-anf | jm-dragen-anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-pure-dragen-rg-scus | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus | jm-pure-dragen-vnet-scus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa | jmcyclepuresa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-Pure-DRAGEN-rg-scus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssa | jmpureblobnfssa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-PURE-DRAGEN-RG-SCUS | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm | jm-pure-cc-vm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfux | scheduler-ha-pmldpwdpfvfux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgph | login-dx543m3hpjgph | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj | scheduler-gyygkmzvgjrtgllegizweljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage | jmfcccstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-temple-fccc-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf | scheduler-gfsdcoddmvrtoljygazgiljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-TEMPLE-FCCC-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus | jm-fccc-cc-eus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln | f2-iqgcslkkwzcln | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi | scheduler-mjrdky3dgq3taljvheztoljugi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2/subnets/mysubnet | mysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1 | vnet-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1/subnets/mysubnet | mysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2 | vnet-2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1 | vnet-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1 | vnet-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2 | vnet-2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-vnet-peering-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2 | vnet-2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | KA-Batch | Microsoft.Batch/batchAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ka-batch/providers/microsoft.batch/batchaccounts/batchmove | batchmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | KA-Batch | Microsoft.Batch/batchAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ka-batch/providers/microsoft.batch/batchaccounts/batchmove | batchmove | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmcc8testsa | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa | jmcc8testsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmgbbmh21sa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa | jmgbbmh21sa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmstoragescus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescus | jmstoragescus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579 | aks-vnet-14699579 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579 | aks-vnet-14699579 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579 | aks-vnet-14699579 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579/subnets/aks-subnet | aks-subnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle | azcvosingle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost | rhel7-9-jumphost | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test | cvo-vm-test | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp | 32chvhfcekz7wdp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse | 4rdjayuqsobbyse | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9r | bfo5hnufuiola9r | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machine (VM) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz | yxv9pnwrsse4uaz | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm | d0vulmraehl8etm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss | azure-cvo-rhel-7-9-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt | ql9a0siq6yvhhxt | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21 | ezphyxrsztuak21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf | svfoswiwuwgxmdf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim | rootsavugz4gim | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii | wqf1xfablntb5ii | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag | nnetappcvodiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2 | azcvohaclus-vm2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost | azure-cvo-jumphost | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/cvo | cvo | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet | cvo-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet | cvo-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet | cvo-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet | cvo-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nnetapp_cvo | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet | cvo-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02 | azcvo-cloudcon02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | nNetapp_CVO | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1 | azcvohaclus-vm1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet | pandb-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet | pandb-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet | pandb-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet/subnets/sn-compute | sn-compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet | pandb-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.KeyVault/vaults | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01 | pinkykeyvault01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Network/virtualNetworks | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet | pandb-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer | pinkyandthebraintransfer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc | pinkyandthebrainsrc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01 | pb-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Storage/storageAccounts | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag | pinkyandthebraindiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pinkyandthebrain | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01 | pb-spillbox01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet | pure-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet | pure-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet | pure-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898 | purediag898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/azpranfsub | azpranfsub | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/gatewaysubnet | gatewaysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | pure | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/sn-storage | sn-storage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Pure | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct | purenfsblobacct | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore | razafscyclestore | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag | razazafspoceastdiag | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet | afs-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/sn-compute | sn-compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/sn-anf | sn-anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet | afs-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet | afs-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet | afs-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet | afs-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01 | razaz-winjump01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus | vnet-hpc-southcentralus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus | vnet-hpc-southcentralus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/user | user | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/visualization | visualization | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/hpc-cache | hpc-cache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/frontend | frontend | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/cyclecloud | cyclecloud | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus | vnet-hpc-southcentralus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/anf | anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus | vnet-hpc-southcentralus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus | vnet-hpc-southcentralus | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3 | sacyclecloudlab3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/compute | compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | RG-MARCUSGA-HPC1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3 | vm-cyclecloud3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm | server-muztmmlfg5stqllcmi4taljugm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | rg-marcusga-hpc1 | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1 | vm-hbv2-imageprep-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | Site-Recovery-vault-eastus | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcache | jlnfajsiterecovasrcache | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SNPS-StorageTest | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsa | snpssftpsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet | batchfunctionvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet/subnets/batchnodes | batchnodes | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet | batchfunctionvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Batch/batchAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.batch/batchaccounts/nggmdemo | nggmdemo | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet | batchfunctionvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet | batchfunctionvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Batch/batchAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.batch/batchaccounts/nggmdemo | nggmdemo | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinbatchaccountmonitoring | 428256e6-1fac-4f48-a757-df34c2b3336d | /providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Batch | Resource logs in Batch accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa | srnggmbatchsa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | sr-batchfunction | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet | batchfunctionvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet/subnets/netapp | netapp | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet | wrf_vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet | wrf_vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/anf | anf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet | wrf_vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet | wrf_vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet | wrf_vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys | steve-bastion-keys | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | | | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsm | srscwrflustrehsm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstorage | cmaqcifsstorage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfcycle | srscwrfcycle | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82locker | srcycle82locker | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenew | srcyclenew | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfiles | cmaqfiles | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblob | cmaqblob | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstest | srcifstest | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfs | srscwrfblobnfs | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2 | srcyclewsetus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82 | sr-cycle-82 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer | azhop-deployer | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new | sr-cycle-new | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_wrf | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222 | galleryimagetest222 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet | honeywellvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet/subnets/subnet-1 | subnet-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2 | hpcf4hy3f5xkbud2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet | honeywellvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault | gmhpckeyvault | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107 | testcn107 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet | honeywellvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet | sandboxvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy | hpc6tj6f36ptfnqy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2 | hpcn34qa3hcrydl2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet | honeywellvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet | sandboxvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet | sandboxvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet | honeywellvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105 | cn105 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet | sandboxvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72 | hpckmdt332nbah72 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin | stevegmwin | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58 | stevegmwin9c58 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet/subnets/subnet-1 | subnet-1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet | sandboxvnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc | addc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100 | cn100 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode | adheadnode | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001 | linuxcn001 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000 | linuxcn000 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachineScaleSets | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | steve-lustre | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVE-LUSTRE | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | test061121 | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnet | test061121-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | test061121 | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | test061121 | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnet | test061121-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | test061121 | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnet | test061121-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc | 623b7169bfcb010068170821-vcstesting-main-vpc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc | 623b7169bfcb010068170821-vcstesting-main-vpc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc | 623b7169bfcb010068170821-vcstesting-main-vpc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc | 623b7169bfcb010068170821-vcstesting-main-vpc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00 | 623b7169bfcb010068170821-vcstesting-master-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc/subnets/623b7169bfcb010068170821-vcstesting-private | 623b7169bfcb010068170821-vcstesting-private | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc/subnets/623b7169bfcb010068170821-vcstesting-public | 623b7169bfcb010068170821-vcstesting-public | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Network/virtualNetworks | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc | 623b7169bfcb010068170821-vcstesting-main-vpc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting | bbfcbvcstesting | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03 | 623b7169bfcb010068170821-vcstesting-worker-03 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01 | ts-license01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04 | 623b7169bfcb010068170821-vcstesting-worker-04 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00 | 623b7169bfcb010068170821-vcstesting-worker-00 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet | ycadence-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2 | cad-vnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet | ycadence-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2 | cad-vnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet/subnets/default | default | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks/subnets | tbd | | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/sn-storage | sn-storage | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/sn-compute | sn-compute | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/gatewaysubnet | gatewaysubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks/subnets | tbd | | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/azurebastionsubnet | azurebastionsubnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2 | cad-vnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2 | cad-vnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet | ycadence-vnet | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2 | cad-vnet2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2 | azypuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2 | ycadencevoltuswest2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl | scheduler-7jwnbad4gbarl | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachineScaleSets | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll | ondemand-tjry4hngbvfll | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img | ycad-compute-img | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2 | voltusccstorusw2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi | instance-gi4dgnzumntgcljqhe4dkljumi | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | | tbd | deployifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver | azyc-cycleserver | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Exempt | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 1.0.0 | | | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc | azyc-newimagecc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump | azyc-windowsjump | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/MCAPSCore | | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
| 1d81cec7-7ded-4731-884e-90c5aa59c622 | ycadence | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr | fileserver-gu4geojsgeygcljzga4tsljugr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountmonitoringnew | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | /providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with read and write permissions on Azure resources should be removed |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforwritepermissionsmonitoringeffect | 931e118d-50a1-4457-a5e4-78550e086c52 | /providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | Accounts with write permissions on Azure resources should be MFA enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | identityenablemfaforwritepermissionsmonitoring | 9297c21d-2ed6-4474-b48f-163f75654ce3 | /providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled for accounts with write permissions on your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountmonitoring | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | /providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts should be removed from your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2 | 21d96096-b162-414a-8302-d8354f9d91b2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f | 7aff565e-6c55-448d-83db-ccf482c6da2f | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b | 7fd64851-3279-459b-b614-e2b2ba760f5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforreadpermissionsmonitoring | e3576e28-8b17-4677-84c3-db2990658d64 | /providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with read permissions on your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoring | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | /providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts with owner permissions should be removed from your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2 | a48d7896-14b4-4889-afef-fbb65a96e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoringnew | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | /providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with owner permissions on Azure resources should be removed |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatelessthanownersmonitoring | 4f11b553-d42e-4e3a-89be-32ca364cad4c | /providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Security Center | A maximum of 3 owners should be designated for your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatemorethanoneownermonitoring | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | /providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Security Center | There should be more than one owner assigned to your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforownerpermissionsmonitoring | aa633080-8b72-40c4-a2d7-d00c03e80bed | /providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with owner permissions on your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforownerpermissionsmonitoringnew | e3e008c3-56b9-4133-8fd7-d3347377402a | /providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | Accounts with owner permissions on Azure resources should be MFA enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786 | fd1bb084-1503-4bd2-99c0-630220046786 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612 | 87d31636-ad85-4caa-802d-1535972b5612 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoringnew | 339353f6-2387-4a45-abe4-7f529d121046 | /providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with owner permissions on Azure resources should be removed |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoring | f8456c1c-aa66-4dfb-861a-25d127b775c9 | /providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with owner permissions should be removed from your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforreadpermissionsmonitoringnew | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | /providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | Accounts with read permissions on Azure resources should be MFA enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | containersadvancedthreatprotectionmonitoringeffect | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | /providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Security Center | Microsoft Defender for Containers should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2 | a48d7796-14b4-4889-afef-fbb65a93e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoringnew | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | /providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with read permissions on Azure resources should be removed |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | storageaccountsadvanceddatasecuritymonitoringeffect | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | /providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Security Center | Azure Defender for Storage should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoringnew | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | /providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with write permissions on Azure resources should be removed |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | appservicesadvancedthreatprotectionmonitoringeffect | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | /providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Security Center | Azure Defender for App Service should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect | 475aae12-b88a-4572-8b36-9b712b2b3a17 | /providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Security Center | Auto provisioning of the Log Analytics agent should be enabled on your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect | 6581d072-105e-4418-827f-bd446d56421b | /providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for SQL servers on machines should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | keyvaultsadvanceddatasecuritymonitoringeffect | 0e6763cc-5078-4e64-889d-ff4d9a839047 | /providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Security Center | Azure Defender for Key Vault should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | virtualmachinesadvancedthreatprotectionmonitoringeffect | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | /providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Security Center | Azure Defender for servers should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderfordnsshouldbeenabledmonitoringeffect | bdc59948-5574-49b3-bb91-76b7c986428d | /providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for DNS should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversadvanceddatasecuritymonitoringeffect | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | /providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for Azure SQL Database servers should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforresourcemanagershouldbeenabledmonitoringeffect | c3d20c29-b36d-48fe-808b-99a87530ad99 | /providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for Resource Manager should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | /providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Security Center | Email notification for high severity alerts should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | microsoftdefendercspmshouldbeenabledmonitoringeffect | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | /providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Security Center | Microsoft Defender CSPM should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoring | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | /providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with write permissions should be removed from your subscription |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | /providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Security Center | Subscriptions should have a contact email address for security issues |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect | 0b15565f-aa9e-48ba-8619-45960f2c314d | /providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Security Center | Email notification to subscription owner for high severity alerts should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a | a16c43ca-2d67-4dcd-9ded-6412f5edc51a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | /providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | System.Object[] | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Security Center | Azure Defender for open-source relational databases should be enabled |
| 8629be3b-96bc-482d-a04b-ffff597c65a2 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | 8629be3b-96bc-482d-a04b-ffff597c65a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoring | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | /providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2 | | tbd | SecurityCenterBuiltIn | /subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with read permissions should be removed from your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | a7b1b19a-0e83-4fe5-935c-faaefbfd18c3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforreadpermissionsmonitoringnew | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | /providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | Accounts with read permissions on Azure resources should be MFA enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforownerpermissionsmonitoring | aa633080-8b72-40c4-a2d7-d00c03e80bed | /providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with owner permissions on your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforownerpermissionsmonitoringnew | e3e008c3-56b9-4133-8fd7-d3347377402a | /providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Security Center | Accounts with owner permissions on Azure resources should be MFA enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.1 | identityenablemfaforwritepermissionsmonitoring | 9297c21d-2ed6-4474-b48f-163f75654ce3 | /providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled for accounts with write permissions on your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityenablemfaforwritepermissionsmonitoringeffect | 931e118d-50a1-4457-a5e4-78550e086c52 | /providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Security Center | Accounts with write permissions on Azure resources should be MFA enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2 | a48d7896-14b4-4889-afef-fbb65a96e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityenablemfaforreadpermissionsmonitoring | e3576e28-8b17-4677-84c3-db2990658d64 | /providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Security Center | MFA should be enabled on accounts with read permissions on your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | e078ab98-ef3a-4c9a-aba7-12f5172b45d0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/fd6e57ea-fe3c-4f21-bd1e-de170a9a4971 | fd6e57ea-fe3c-4f21-bd1e-de170a9a4971 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoring | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | /providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with write permissions should be removed from your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoringnew | 339353f6-2387-4a45-abe4-7f529d121046 | /providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with owner permissions on Azure resources should be removed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithwritepermissionsmonitoringnew | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | /providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with write permissions on Azure resources should be removed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoring | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | /providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts with owner permissions should be removed from your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithownerpermissionsmonitoring | f8456c1c-aa66-4dfb-861a-25d127b775c9 | /providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with owner permissions should be removed from your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountwithownerpermissionsmonitoringnew | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | /providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with owner permissions on Azure resources should be removed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoring | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | /providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | External accounts with read permissions should be removed from your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremoveexternalaccountwithreadpermissionsmonitoringnew | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | /providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Security Center | Guest accounts with read permissions on Azure resources should be removed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | keyvaultsadvanceddatasecuritymonitoringeffect | 0e6763cc-5078-4e64-889d-ff4d9a839047 | /providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Security Center | Azure Defender for Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | storageaccountsadvanceddatasecuritymonitoringeffect | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | /providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Security Center | Azure Defender for Storage should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversadvanceddatasecuritymonitoringeffect | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | /providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for Azure SQL Database servers should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.2 | sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect | 6581d072-105e-4418-827f-bd446d56421b | /providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Security Center | Azure Defender for SQL servers on machines should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | b91f4c0b-46e3-47bb-a242-eecfe23b3b5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | virtualmachinesadvancedthreatprotectionmonitoringeffect | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | /providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Security Center | Azure Defender for servers should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.3 | appservicesadvancedthreatprotectionmonitoringeffect | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | /providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Security Center | Azure Defender for App Service should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | /providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Security Center | Azure Defender for open-source relational databases should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect | 475aae12-b88a-4572-8b36-9b712b2b3a17 | /providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Security Center | Auto provisioning of the Log Analytics agent should be enabled on your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderforresourcemanagershouldbeenabledmonitoringeffect | c3d20c29-b36d-48fe-808b-99a87530ad99 | /providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for Resource Manager should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | azuredefenderfordnsshouldbeenabledmonitoringeffect | bdc59948-5574-49b3-bb91-76b7c986428d | /providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Security Center | Azure Defender for DNS should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | microsoftdefendercspmshouldbeenabledmonitoringeffect | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | /providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Security Center | Microsoft Defender CSPM should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | /providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Security Center | Email notification for high severity alerts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | /providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Security Center | Subscriptions should have a contact email address for security issues |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect | 0b15565f-aa9e-48ba-8619-45960f2c314d | /providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d | azure_security_benchmark_v3.0_ir-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Security Center | Email notification to subscription owner for high severity alerts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identityremovedeprecatedaccountmonitoring | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | /providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474 | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Deprecated accounts should be removed from your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786 | fd1bb084-1503-4bd2-99c0-630220046786 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | containersadvancedthreatprotectionmonitoringeffect | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | /providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Security Center | Microsoft Defender for Containers should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | identityremovedeprecatedaccountmonitoringnew | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | /providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | azure_security_benchmark_v3.0_pa-4 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Security Center | Blocked accounts with read and write permissions on Azure resources should be removed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatemorethanoneownermonitoring | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | /providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Security Center | There should be more than one owner assigned to your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2 | a48d7796-14b4-4889-afef-fbb65a93e5a2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 7b266cd7-0bba-4ae2-8423-90ede5e1e898 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b | 7fd64851-3279-459b-b614-e2b2ba760f5b | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612 | 87d31636-ad85-4caa-802d-1535972b5612 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 94ddc4bc-25f5-4f3e-b527-c587da93cfe4 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Resources/subscriptions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | e0fd569c-e34a-4249-8c24-e8d723c7f054 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | identitydesignatelessthanownersmonitoring | 4f11b553-d42e-4e3a-89be-32ca364cad4c | /providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c | azure_security_benchmark_v3.0_pa-1 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Security Center | A maximum of 3 owners should be designated for your subscription |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2 | 21d96096-b162-414a-8302-d8354f9d91b2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 260691e6-68c2-47cf-bd4a-97d5fd4dbcd5 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f | 7aff565e-6c55-448d-83db-ccf482c6da2f | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | | Microsoft.Authorization/roleDefinitions | tbd | | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a | a16c43ca-2d67-4dcd-9ded-6412f5edc51a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | userbacrulesmonitoring | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | azure_security_benchmark_v3.0_pa-7 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | General | Audit usage of custom RBAC rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.MachineLearningServices/workspaces | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272 | amlisdkv21657840272 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.MachineLearningServices/workspaces | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272 | amlisdkv21657840272 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.MachineLearningServices/workspaces | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272 | amlisdkv21657840272 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.MachineLearningServices/workspaces | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272 | amlisdkv21657840272 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fda | amlisdkvstorage6d4542fda | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8 | amlisdkvkeyvault98f355a8 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | amlisdkv2-rg-1657840272 | Microsoft.ContainerRegistry/registries | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e482 | 8e35cf165ff74fad97f367b36208e482 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommerce | cmontecillocommerce | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommerce | cmontecillocommerce | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790 | cmontecillocom7861358790 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommerce | cmontecillocommerce | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c | 15f35c5e8a03497d995b1ea56cecf47c | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133 | cmontecillocom9046791133 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | cmontecillo-aip-commerce | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommerce | cmontecillocommerce | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.MachineLearningServices/workspaces | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-ws | hawestra-ws | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.MachineLearningServices/workspaces | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-ws | hawestra-ws | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.MachineLearningServices/workspaces | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-ws | hawestra-ws | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.MachineLearningServices/workspaces | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-ws | hawestra-ws | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.KeyVault/vaults | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938 | hawestraws0768095938 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | hawestra-rg | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314 | hawestraws9299687314 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus21 | mlregoedfywus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1 | mlregoedfyeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21 | mlregoedfyeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1 | mlregoedfywus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-bugbash-eus | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfy | mlregoedfy | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2 | kicha-wus2 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2 | kicha-wus2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2 | kicha-wus2 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2 | kicha-wus2 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0 | f3c751bc90f549f9b903b5740be5eab0 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231 | kichawus20679782231 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390 | kichawus26605359390 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2 | kicha-wus2-2 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2 | kicha-wus2-2 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2 | kicha-wus2-2 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578 | kichawus220787411578 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155 | kichawus222942034155 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-2 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2 | kicha-wus2-2 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142 | testwscrstorageee6a2a142 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3 | kicha-wus2-3 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3 | kicha-wus2-3 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3 | kicha-wus2-3 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3 | kicha-wus2-3 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creation | test_ws_creation | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creation | test_ws_creation | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creation | test_ws_creation | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.MachineLearningServices/workspaces | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creation | test_ws_creation | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a | 5bf2b362a0fc46448255d1ce1caa543a | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa | testwscrkeyvault338249fa | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.KeyVault/vaults | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918 | kichawus239853796918 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | kicha-wus2-3 | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667 | kichawus238999360667 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187 | lantacreated076607435187 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020 | lantacreated070090630020 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846 | lantam3y2022wc7332165846 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022 | lanta-created03-18-2022 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022 | lanta-created03-18-2022 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022 | lanta-created03-18-2022 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022 | lanta-created07-27-2022 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022 | lanta-created03-18-2022 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022 | lanta-created07-27-2022 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022 | lanta-created07-27-2022 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022 | lanta-created07-27-2022 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022 | lanta-created07-18-2022 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 16578032510966501063 | 7620c34b29d73144 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022 | lanta-created07-18-2022 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 230577379976717429 | 69c7994a03e85cd7 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022 | lanta-created07-18-2022 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0 | azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect | 40cec1dd-a100-4920-b15b-3024fe8901ab | /providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Machine Learning | Azure Machine Learning workspaces should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 17665953961397091050 | ad163c031e38be6b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | switzerlandnorth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681 | lantacreated078811670681 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534 | lantacreated073817376534 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.MachineLearningServices/workspaces | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022 | lanta-created07-18-2022 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 17718906224026410856 | c62acd4d95271d71 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 236466222583652451 | b8df08c9a5e7240d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 8747153269957097825 | 196cc7343d351f3b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264 | lantacreated035018411264 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 7716402687079202705 | c7f4766e826cc01b | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 5754393777034286197 | f6b63bfe5a86b464 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | | | | | 1.0.0 | | 5353f06bfd8b6546 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | Key-Vault-Soft-Delete-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 4df59e9ddb1bfd29 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29 | | | | 6086086491514027311 | 992f05adeaae4147 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit2-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 4696422810491604004 | 7858cda978bcfbc2 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2 | | tbd | append | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc81 | 3e141df6df1d42e69a1416564e04fc81 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.KeyVault/vaults | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469 | lantacreated032242745469 | | | | 2338abe645719b8f | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f | | | | 13816903777777977516 | c8e4d0a348a1a362 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362 | | tbd | modify | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | AKV-SD-Initiative-v001 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | Lanta-RG | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/lantaacr | lantaacr | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1 | mlregontumscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1 | mlregontumneu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | uksouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1 | mlregontumuks1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | southeastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1 | mlregontumsea1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21 | mlregontumwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1 | mlregontumwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1 | mlregontumwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | westeurope | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1 | mlregontumweu1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.ContainerRegistry/registries | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontum | mlregontum | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | brazilsouth | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1 | mlregontumbrs1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japaneast | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1 | mlregontumjpe1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1 | mlregontumcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | canadacentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1 | mlregontumcac1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | centralindia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1 | mlregontumcind1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | northcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1 | mlregontumncus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | australiaeast | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1 | mlregontumaue1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | japanwest | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1 | mlregontumjpw1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1 | mlregontumeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastasia | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1 | mlregontumeas1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21 | mlregontumeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_private_preview_registry | Microsoft.Storage/storageAccounts | tbd | francecentral | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1 | mlregontumfrc1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 4175010915990660090 | 6b115614afdfb4f6 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 14964690428565797584 | f8e7133d43e7ae8a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | containerregistriesshoulduseprivatelinkmonitoringeffect | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Container Registry | Container registries should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect | d0793b48-0edc-4296-a390-4c75d1bdfd71 | /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Container Registry | Container registries should not allow unrestricted network access |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 2301613003442929976 | 449e441566d8792d | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnm | mlregfudnm | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.1 | containerregistryvulnerabilityassessment | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562 | System.Object[] | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Security Center | Container registry images should have vulnerability findings resolved |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.ContainerRegistry/registries | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54m | mlregjn54m | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 18329887977322141139 | 8ff43c0215fc2b5c | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus21 | mlregjn54mwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1 | mlregjn54mscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1 | mlregjn54mwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1 | mlregfudnmscus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1 | mlregfudnmeus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1 | mlregfudnmwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12921375094189702933 | 3690c8076353f9 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9 | | tbd | auditifnotexists | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1 | mlregfudnmwus1 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 160bc010a809a54c | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c | | | | 17090275662795447127 | 96d6d845984b3595 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit1-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2512910103565151903 | 33109c61cebcee66 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 5029525481295684804 | abfa13034515d626 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 12157946249499549379 | 8086c3485abfabde | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 2997960159391222263 | cc275f6260404a9a | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21 | mlregfudnmwus21 | | | | 47d8e1d3106c85a1 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1 | | | | 8127684034919606540 | ffb3acd578d03dc3 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3 | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | ASB-Audit3-Initiative-v1 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1 | | | |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21 | mlregfudnmeus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1 | mlregjn54meus1 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | eastus2 | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21 | mlregjn54meus21 | 55.0.0 | | | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054 | | tbd | SecurityCenterBuiltIn | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed |
| e0fd569c-e34a-4249-8c24-e8d723c7f054 | rai_registry | Microsoft.Storage/storageAccounts | tbd | westcentralus | False | NonCompliant | | /subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1 | mlregjn54mwcus1 | | | | ba5e650e435f7c81 | /providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81 | | | 1.0 | 14852652528315679993 | f8db185c400632fd | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd | | tbd | audit | | /providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792 | | tbd | SEC-NetIso-PaaS-v012 | /providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012 | | | |